In this article, we compare and explain the search results and methods of Google Hacking’s intitle filter, which searches only sites with specific keywords in the title, and Criminal IP’s title filter.

What is Google Hacking?

Google Hacking is a technique that uses Google Search and Google's applications to find security vulnerabilities in the construction and computer code of a website. The information that can be collected with Google Hacking can be surprisingly diverse. In general, results are narrowed to specific conditions by combining keyword searches in quotation marks ("") with filters such as filetype, site, inurl, and intitle.

Compared to Google, which collects data based on the web, Criminal IP (https://www.criminalip.io/) collects data based on IP and port information. However, if the collected information comes from a web port, results previously invisible in the Google search engine can be found using Criminal IP. In particular, Google's intitle: filter matches content from a website's <title> tag, which makes it very similar to Criminal IP's title: filter. Let's look at some of Google Hacking's search tips and compare them to Criminal IP features.

Searching for vulnerable directory listings using dead.letter

intitle:index.of "dead.letter"

Google search result for intitle:index.of "dead.letter"

The dead.letter file is an error log generated when a specific error occurs in a Linux/Unix environment. 'index.of' is a string that appears when visiting a website with directory listing vulnerabilities, so the search results yield server addresses with full server accessibility.

An index.of file with vulnerable server addresses with full server accessibility. This particular string is visible on websites with directory listing vulnerabilities and can be used to identify them.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
  <title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>

Criminal IP can yield the same results with its title: filter. Use the query shown below to access Criminal IP's Asset Search results.

"dead.letter" title:index.of

Criminal IP Asset Search results for "dead.letter" title:index.of

Criminal IP search results also show unique data that users cannot access on Google. In addition, Criminal IP identifies data by country, presence/absence of CVE vulnerabilities, and types of web servers involved.

Finding Remote Desktop Servers in Web format

intitle:"Remote Desktop Web Connection" inurl:tsweb

Google search result for intitle:"Remote Desktop Web Connection" inurl:tsweb

Microsoft also provides web versions of RDP servers. In other words, this Google Hacking query can serve as a case example for finding an externally exposed RDP server.

Microsoft RDP server in web format, exposed on Google Hacking search results

Users can run an equivalent query with Criminal IP's title: filter.

title:"Remote Desktop Web Connection"

Criminal IP Asset Search results for title:"Remote Desktop Web Connection"

It should also be noted that Criminal IP Image Search provides RDP screenshots for user convenience.

Criminal IP Image Search results for RDP

Detect Apache Test Pages in Default State

intitle:"Test Page for Apache"

Google Search results for intitle:"Test Page for Apache"

The screenshot below is the default welcome page you see right after installing the Apache server. This is a famous example of a vulnerability that can be found using Google Hacking.

An exposed Apache Default Welcome page shown on Google Hacking search results for intitle:"Test Page for Apache"

Use the following query to yield the same search results using Criminal IP:

title:"Test Page for Apache installation"

Criminal IP Asset Search results for title:"Test Page for Apache installation"

It is evident that Criminal IP's results tab shows far more data than what users can find using Google Hacking. This can be attributed to how IT systems are set up: systems installed in a default state often have no domain attached to them. Therefore, compared to Google, which crawls centered on domains, Criminal IP, which continuously collects IPs worldwide, can provide more detailed search results for default welcome pages.

We have previously covered the dangers of default welcome pages in our article, Default welcome page exposure: A Significant Security Risk.

Lastly, we would like to note that Google Hacking has far more filters than the intitle: filter we covered today. In addition, search result data can vary wildly between the applications used, with Criminal IP yielding more result volume at times and vice versa. Therefore, using both services can benefit users in collecting more comprehensive threat intelligence.
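The same title matching can be applied to responses from hosts in your own inventory, so that exposed pages are found before a search engine indexes them. The following is an added example, not code from Google or Criminal IP: the rule list, function names and sample pages are constructed for illustration, and the rules mirror the three queries covered above.

```python
from html.parser import HTMLParser

# (label, phrase required in <title>, phrase required anywhere in the page or None)
# Hypothetical rule set mirroring the three queries discussed in this article.
RULES = [
    ("directory listing exposing dead.letter", "index of", "dead.letter"),
    ("RDP web connection page", "remote desktop web connection", None),
    ("Apache default test page", "test page for apache", None),
]

class TitleParser(HTMLParser):
    """Collects only the text inside <title>, which is what a title filter matches."""
    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data

def extract_title(html):
    parser = TitleParser()
    parser.feed(html)
    return " ".join(parser.title.split())  # collapse line breaks and repeated spaces

def audit(pages):
    """pages: {host: html}. Returns sorted (host, label) findings."""
    findings = []
    for host, html in pages.items():
        title = extract_title(html).lower()
        for label, title_phrase, body_phrase in RULES:
            if title_phrase in title and (body_phrase is None or body_phrase in html.lower()):
                findings.append((host, label))
    return sorted(findings)

# Constructed sample responses, keyed by documentation-range IPs (not real hosts).
SAMPLE_PAGES = {
    "192.0.2.10": '<html><head><title>Index of /</title></head><body><h1>Index of /</h1><a href="dead.letter">dead.letter</a></body></html>',
    "192.0.2.11": "<html><head><TITLE>Remote Desktop\n Web Connection</TITLE></head><body></body></html>",
    "192.0.2.12": "<html><head><title>Test Page for Apache Installation</title></head></html>",
    "192.0.2.13": "<html><head><title>Docs</title></head><body>Index of chapters, see dead.letter</body></html>",
}
```

The last sample page mentions both phrases only in its body, so it is not flagged; this is the difference between a title filter and a plain keyword search.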


Source: Criminal IP (https://www.criminalip.io)
